Moreover, when a user is terminated, you want the account disabled immediately, not several hours later when the scheduled task runs.

And why even bring a GPO into this? Just create the scheduled task, if that's what you're going to do.

Complexity for complexity's sake is usually poor design; this is like a Rube Goldberg Machine of disabling users.

Even though the task will be triggered to run automatically the moment a user is moved to the disabled OU, by the event that is generated on the move, it's not a good idea; sometimes even disabled users are able to sign in to a computer or log in to Exchange.

The best thing here is to reset the password, disable the account and move it to the OU manually. I don't think termination or a user leaving the organisation happens that often.

Yes, that's an option. But because we want to keep our disabled accounts in a different OU (as users often come back after some time) I was thinking about this way. But if it's not possible we'll do the extra click.

Run a scheduled task that looks at all users in a specific OU, and disables any that aren't already disabled. You could certainly take other actions, too, like removing from groups, disabling the mailbox, hiding from the GAL, etc.
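
A sketch of the scheduled-task sweep described in the post above, as an added example that is not code from the thread. The OU distinguished name, the log path and the `-HideFromGal` switch are assumptions; it needs the ActiveDirectory RSAT module and an existing log directory, and it also applies the password reset suggested earlier in the thread.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed values: replace with your own holding OU and log location.
    [string]$DisabledOU = 'OU=Disabled Users,DC=example,DC=com',
    [string]$LogPath    = 'C:\Logs\Disable-OUUsers.csv',
    # Hypothetical switch; use only where the Exchange schema extension exists.
    [switch]$HideFromGal
)

# Select only accounts that are still enabled, so repeat runs change nothing.
$targets = Get-ADUser -SearchBase $DisabledOU -SearchScope Subtree `
    -Filter 'Enabled -eq $true' -Properties MemberOf

foreach ($user in $targets) {
    # Honours -WhatIf so the sweep can be rehearsed before it is scheduled.
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and deprovision')) { continue }
    $steps = @()
    try {
        Disable-ADAccount -Identity $user -ErrorAction Stop
        $steps += 'Disabled'

        # Replace the password with a random value that nobody knows.
        $bytes = [byte[]]::new(32)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret -ErrorAction Stop
        $steps += 'PasswordReset'

        # Remove explicit memberships; the primary group is not listed in MemberOf.
        foreach ($group in $user.MemberOf) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
        }
        $steps += "GroupsRemoved=$(@($user.MemberOf).Count)"

        if ($HideFromGal) {
            Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true } -ErrorAction Stop
            $steps += 'HiddenFromGAL'
        }
    }
    catch {
        # Record how far this account got, then carry on with the next one.
        $steps += "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Time  = (Get-Date).ToString('o')
        User  = $user.SamAccountName
        Steps = $steps -join '; '
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}
```

Run it once with `-WhatIf` to see which accounts would be touched. Accounts moved between runs stay enabled until the next run, which is the delay the earlier replies object to.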

Yes, as people have said, PowerShell CAN do it for you; however, how you script it depends on your workflow.

Do you manually move the user to "Disabled users OU"?

What vector are you in? If users move in and out regularly, how do you re-enable the account when they return? Is there a licensing or other need to move the users from their OU when they leave, or is this a cosmetic change?

I agree with Jiten. Inactive accounts may cause fatal damage to the organization, especially when they are not disabled or when they have no password expiry limits. Thus, they are an open invitation for anyone looking to compromise an organization’s security.

If you want the user to be disabled (in fact, you need to properly deprovision the user, not just disable) immediately after it's moved to a specific OU, you can do it with Adaxes.

You need to create an automation rule that will be triggered after the user is moved to the OU you define and execute a set of tasks of your choice. You can include custom conditions, approvals, etc. to fit the exact needs of your particular environment. The rule itself will look something like that: